Glossary

Access audit: the process to determine what access each individual should have based on the data provided by the Person Registry and the current security policies.

Access control: the act of limiting access to information system resources only to authorized users, programs, processes, or other systems.

Access control models: a description of the availability of resources in a system.

Access control list: a list of permissions attached to specified objects. Often abbreviated as ACL.

Access management system: the policies, procedures and applications which take the data from the Person Registry and the Systems of Record to make decisions on granting access to resources.

Access registry: a utility that provides security administrators with a single view of an individual's accounts and permissions across the entire organization.

Action: the activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset.

Active Directory: the collection of technologies that provide centralized user management and access control across all computers that are “members” of the domain.

Active Directory Federation Services: a service that extends the Active Directory system to support federated access to local and external resources using SAML and related protocols. Commonly abbreviated as ADFS.

Advanced persistent threat: a sustained, human-intensive attack that leverages the full range of computer intrusion techniques.

Anomaly-based detection: the process of detecting deviations between observed events and defined activity patterns.

Asset: a resource or information that is to be protected.

Asset criticality: a measure of the importance of an asset to the immediate survival of an organization.

Asset owner: the individual or unit with operational responsibility for all unanticipated functions involved in securing an asset.

Asset sensitivity: extent of damage caused to the organization by a breach of confidentiality or integrity of the asset.

Authentication: the process that a user goes through to prove that he or she is the owner of the identity that is being used.

Authentication token: a unique identifier or cryptographic hash that proves the identity of the user in possession of the token.

Availability: ensuring timely and reliable access to and use of information.

Biometric devices: devices that analyze the minute differences in certain physical traits or behaviors, such as fingerprints or voice patterns, to identify an individual.

Biometric markers: observable physical differences among people.

Block encryption: the process of converting a plaintext block into an encrypted block.

Brute-force attack: amethod by which a hacker tries to gain access to an account on the target system by trying to “guess” the correct password.

Buffer overflow vulnerability: the situation where a program is able to put more data into a storage location than it can hold.

Business impact analysis: the identification of services and products that are critical to the organization.

Central Authentication Service protocol: one of the leading open source single sign-on technologies, especially in higher education.

Certificate: a bundle of information containing the encrypted public key of the server, and the identification of the key provider.

cd: the command (change directory) that allows us to switch to another directory. The target folder name is specified as the argument to the command.

Checksum: a value computed on data to detect error or manipulation during transmission.

Ciphertext: the encrypted text that is unintelligible to the reader.

Cloud computing: the delivery of software and other computer resources as a service over the Internet, rather than as a stand-alone product.

Compliance: the act of following applicable laws, regulations, rules, industry codes, and contractual obligations.

Computer security incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Compromised passwords: passwords on the system that are known to unauthorized users.

Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration: the act of selecting one among many possible combinations of features of a system.

Controls: safeguards used to minimize the impact of threats.

Control activities: procedures, methods, and policies that responsible persons use to reduce the likelihood of occurrence of risky events to acceptable levels.

Credentials: the piece (or pieces) of information used to verify the user's identity.

Cross-site scripting: a vulnerability that occurs when user-supplied input is used without verification as part of the output served to other users.

Cryptanalysis: the art of breaking ciphertext.

Cryptographic algorithm: a well-defined sequence of steps used to describe cryptographic processes.

Cryptography: the art or science of rendering plain information unintelligible, and for restoring encrypted information to intelligible form.

Deep packet inspection firewalls: devices that examine the data carried by a packet, in addition to the protocol headers, to decide how to handle the packet.

Default allow stance: a firewall configuration that allows all packets into the network, except those that are explicitly prohibited.

Default deny stance: a firewall configuration that blocks all packets, except those explicitly allowed.

Deferrable asset: an asset that is needed for optimal operation of the organization but whose loss of availability would not cause major issues to the organization in the near term.

Demilitarized zone: see perimeter network.

Denial of service: the unauthorized prevention of access to resources or the delaying of time-critical operations.

Digital signatures: cryptographic transformations of data that allow a recipient of the data to prove the source (non-repudiation) and integrity of the data.

Disaster: a calamitous event that causes great destruction.

Disaster recovery: the process adopted by the IT organization in order to bring systems back up and running. Commonly abbreviated as DR.

Discovery service: a service that provides the user with a list of the trusted organizations that they can choose from to authenticate.

Distributed denial-of-service attack: the use of many compromised systems to cause denial of service for users of the targeted system. Commonly abbreviated as DDoS.

Domain controller: the server that implements the active directory rules within a domain.

Encryption: the cryptographic transformation of data to produce ciphertext.

End point protection: the security implemented at the end-user device.

Essential asset: an asset whose loss of availability would cause immediate severe repercussions for the organization.

Evasion: the act of conducting malicious activity so that it looks safe.

False positive: a find that appears to be a problem (a positive) but upon further investigation turns out not to be a problem (therefore, false).

Federation: bridging the gap between authentication systems in separate organizations.

Federation metadata: a document containing a comprehensive list of all federation members and important data, such as organization and contact information, for each identity providers.

Federation provider: the entity responsible for all administrative tasks related to running the identity federation, such as membership management, creating and enforcing federation policies, and managing the Public Key Infrastructure (PKI) needed for cryptographic operations.

Firewall: a form of protection that allows one network to connect to another network while maintaining some amount of protection.

Framework: a structure for supporting something else.

General assets: assets that are found in most organizations.

Group policy: an infrastructure that allows you to implement specific configurations for users and computers.

Hash functions: encryption methods that use no keys.

Hidden files: files whose existence is hidden from users by default.

Home directory: a user's personal space on a computer, analogous to the Documents folder in Windows. The term is popular in UNIX systems.

Host-based IDSs: software applications installed on individual hosts that monitor local activity such as file access and system calls for suspicious behavior. Sometimes abbreviated as HIDSs.

Hot spares: redundant components that are housed inside a server and that can replace the failed component with no downtime.

Identification: the presentation of a user identity for the system.

Identifier: a string of digits which uniquely identifies an identity in an SoR.

Identity: a distinct record stored in a System of Record.

Identity enrichment: collecting data about each individual's relationship to the organization.

Identity management: the processes of identifying individuals and collating all necessary data to grant or revoke privileges for these users to resources.

Identity matching: the process of searching the existing Person Registry for one or more records that match a given set of identity data.

Identity merge: combining the new or updated record with data associated with the existing person record.

Identity reconciliation: the process of comparing each discovered identity to a master record of all individuals in the organization.

Idiosyncratic assets: assets that are distinct to an organization.

Incident response policy: standard methods used by the organization for handling information security incidents.

Information asset: digitally stored content owned by an individual or organization.

Information security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

Information security controls: safeguards used to minimize the impacts of information security threats.

Information security model: a representation of the core components of information security, showing the relationship of these components to each other, and excludes everything else.

IT general controls: control activities performed by IT that ensure the correct processing of business transactions by the organization.

IT risk: risk associated with the use of information systems in an organization.

IT system: an assembly of computer hardware, software, and firmware configured for the purpose of processing, storing, or forwarding information.

Infrastructure as a Service: a business model in which an organization uses hardware equipment such as processors, storage, and routers from a service provider. Commonly abbreviated as IaaS.

Input validation vulnerability: a situation where user input is used in the software without confirming its validity.

Installation: the act of writing the necessary data in the appropriate locations on a computer's hard drive-for running a software program.

Integrity: guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Intellectual property: creations of the mind (inventions, literary and artistic works, and symbols, names, images, and designs) that can be used for profit. Commonly abbreviated as IP.

Interior firewall: a device that limits access to the organization's internal network.

Internal agents: people linked to the organization, often as employees.

Internal network: the location of all the organization's information assets. Also called the militarized zone.

Intrusion detection systems: hardware devices or software applications that monitor IT systems for malicious activity or violations of usage policies established by the system administrator. Commonly abbreviated as IDS.

Intrusion prevention systems: technologies that build on IDS and attempt to stop potential intrusions.

Kerberos: an authentication protocol that allows nodes in an insecure network to securely identify themselves to each other using tokens.

Kernel: the software which provides controls for hardware devices, manages memory, executes code on the computer's CPU, and hides the details of the underlying physical hardware from user applications.

Key loggers: software that tracks (logs) the keys struck on a keyboard, typically trying to gather user-names and passwords.

IT-related legal assets: contractual arrangements that guide the use of hardware and software assets within the organization.

Logs: records of the performance of a machine.

Malware: software or code specifically designed to exploit a computer, or the data it contains, without the user's consent.

Missing authorization vulnerability: a vulnerability that happens when a software program allows users access to privileged parts of the program without verifying the credentials of the user.

Mission statement: short (preferably one or two sentences long) expression of an organization's services, its target market, and its competitive advantages.

Model: a representation of the real world.

Monitoring: the act of listening and/or recording the activities of a system to maintain performance and security.

Mono-alphabetic substitution: encryption scheme of replacing individual letters with other letters for the purpose of encryption.

Need-to-know: an information management principle where a person is only provided the information that is necessary to perform their job.

Network firewalls: hardware or software that prevent the dangers originating on one network from spreading to another network.

Network IDS: device that monitors network traffic and application protocol activity to identify suspicious connections.

OAuth: a mechanism that allows a user to grant access to private resources on one site (the service provider) to another site (the consumer).

Open source software: software in which anyone is able to modify the source code and distribute his or her changes to the world.

Operational responsibilities: the responsibility of an individual or entity for a specific function related to the use of an asset.

Operating systems: software that manages computer hardware and provides common services to user applications.

Operating system updates: software updates that fix issues with the low-level components of the system software.

Packet filtering firewalls: firewalls that examine the protocol header fields of packets flowing through the firewall to determine whether to allow the packets to enter the network.

Packet sniffing: the act of intercepting and monitoring data passing through a computer network.

Parent directory: the directory (folder) directly about the current one in the file-system hierarchy.

Partners: any third party sharing a business relationship with the organization.

Passphrase: a sequence of words that serves as a password.

Password: a secret series of characters that only the owner of the identity knows and uses it to authenticate identity.

Password capturing: the ability of an attacker to acquire a password from storage, transmission, or user knowledge and behavior.

Password cracking: the process of generating a character string that matches any existing password string on the targeted system.

Password expiration: the duration for which the password may be used before it is required to be changed.

Password guessing: the act of repeatedly trying different passwords associated with a user account, such as default passwords and dictionary words, until the correct password is found.

Password management: the process of defining, implementing, and maintaining password policies throughout an enterprise.

Password policy: a set of rules for using passwords.

Password replacing: the substitution of the user's existing password with a password known to the attacker.

Password synchronization: ensuring that the user has the same username and password in all systems.

Patch: software that corrects security and functionality problems in software and firmware.

Patch management: the process of identifying, acquiring, installing, and verifying patches.

Perimeter firewall: the firewall that lies between the external network and the organization.

Perimeter network: the network that lies between the external network and the organization's internal network. The perimeter network hosts external services such as http, smtp, and DNS. The perimeter network is commonly called the demilitarized zone.

Permutation: a specification of the output position of each of the k input bits.

Person Registry: the central hub that connects identifiers from all Systems of Records into a single “master” identity and makes the correlation and translation of identity data (such as Student ID to Employee ID) possible.

Identity creation: the function that creates a new person record and identifier in the Person Registry.

Personal identification number: a short (4–6 digits), numerical password. Commonly abbreviated as PIN.

Phishing: attempting to compromise a user by masquerading as a trustworthy entity in electronic communication.

Physical controls: traditional non-technical methods of preventing harm.

Policy: a document that records a high-level principle or course of action that has been decided on.

Proactive testing: the act of testing a system for specific issues before such issues occur.

Procedural controls: prescribed plans of action that govern the use of computer resources.

Procedural vulnerability: a weakness in an organization's operational methods, which can be exploited to violate the security policy.

Protocol-state-based IDS: an IDS that compares observed events against defined protocol activity for each protocol state to identify deviations.

Public-key cryptography: encryption methods that use two keys, one for encryption and another for decryption.

Reactive monitoring: the act of detecting and analyzing failures after they have occurred.

Recursion: the act of defining a function in terms of itself.

Redundancy: surplus capability, which is maintained to improve the reliability of a system.

Reputation-based end point protection: predicting the safety of a file based on a reputation score calculated using the file's observable attributes.

Required asset: an asset that is important to the organization, but the organization would be able to continue to operate for a period of time even if the asset is not available.

Restricted asset: an asset in which disclosure or alteration would have adverse consequences for the organization.

Risk: a quantitative measure of the potential damage caused by a specified threat.

Risk assessment: identifying and aggregating the risks facing the organization.

Risk frame: describing the environment in which risk-based decisions are made. This helps in establishing the context for risk management.

Risk management: managing the financial impacts of unusual events.

Risk monitoring: evaluating the effectiveness of the organization's risk management plan over time.

Risk response: defining an organization's response to risks once they are determined from risk assessments.

Role: an individual's relationship to the organization. Also called affiliation.

Role-based access control: granting individuals in specified job roles the access privileges associated with the corresponding system role. Commonly abbreviated as RBAC, it assigns permissions to user roles rather than to individual users.

Rootkit: collections of software programs designed to hide the existence of certain specific computer processes or programs from normal methods of detection.

Controls: safeguards used to minimize the impact of threats.

Scope: the part of the incident response policy that specifies the targets of the policy.

Secret key cryptography: encryption methods that use one key for both encryption and decryption.

Separation of duties: a constraint where more than one person is required to complete a task.

Service level agreement: the specification of what and how IT will deliver and manage the expectations of the customer or system owner. Commonly abbreviated as SLA.

Shell: a text-based program that allows the user to interact directly with the kernel.

Shibboleth: an open-source identity management and federated access-control infrastructure based on Security Assertion Markup Language (SAML).

Signature: a sequence of bytes that is known to be a part of malicious software.

Single point of failure: a part of a system whose failure will stop the entire system from working.

Single sign-on: technology that allows a user to authenticate once and then access all the resources the user is authorized to use. Commonly abbreviated as SSO.

Social engineering: the art of manipulating people into performing desired actions.

Software as a Service: a delivery mechanism in which an application and all of the associated resources are provided to organizations by a vendor, typically through a web browser. Commonly abbreviated as SaaS.

Software assets: software tools needed to manipulate the organization's information to accomplish the organization's mission.

Software update: the act of replacing defective software components with components in which the identified defects have been removed.

Software vulnerability: an error in the specification, development, or configuration of software such that its execution can violate the security policy.

SQL injection vulnerability: the use of unvalidated SQL input in applications.

Standard: a defined set of rules, accepted and adopted by several organizations.

Steganography: hiding information in a way such that no one suspects the existence of the message.

Substitution: specification of the k-bit output for each k-bit input.

System administration: a set of functions that provides support services, ensures reliable operations, promotes efficient use of the system, and ensures that prescribed service-quality objectives are met.

System administrator: the person responsible for the day-to-day operation of a technology system.

System of Record: records from which information is retrieved by the name, identifying number, symbol, or other identifying particular assigned to the individual. Sometimes abbreviated as SOR.

System profiling: the act of putting together all the assets inventoried, grouping them by function, and understanding the dependencies between these assets.

System security officer: the person responsible for writing, enforcing, and reviewing security operating procedures in an organization.

Technical controls: the information security measures built into the information system itself.

Threat: the capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets.

Threat agent: the individual, organization, or group that originates a particular threat action.

Threat model: interactions between relevant agents, actions, and assets facing an organization.

Tokens: physical objects (or in the case of software tokens, stored on a physical object) that must be presented to prove the user's identity.

Unencrypted data vulnerability: the situation where sensitive data is stored locally or transmitted over a network without proper encryption.

Unrestricted assets: assets not classified as restricted. It is the data that, if leaked or viewed by someone, would not cause problems for the organization.

Unrestricted uploads vulnerability: the vulnerability created when files are accepted by software without verifying that the file follows strict specifications.

User management: defining the rights of organizational members to information in the organization.

Viruses and worms: computer programs that adversely affect computers and propagate through the network without the user's consent.

Vision statement: a statement that articulates the organization's aspirations.

Vulnerability: a weakness in an information system that gives a threat the opportunity to compromise an asset.

Web mashup: a web page or application that combines data from one or more web-based APIs into a new service.

Zero-day exploit: an attack that compromises a previously unknown vulnerability in computer software.

Zombie: a computer connected to the Internet that has been compromised in such a way that it performs malicious tasks at the direction of a remote controller. Typically caused by the installation of a zombie client.

Zombie client: the software that takes directions from a remote computer and uses the infected computer to perform malicious tasks as directed.